PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk

PR.AA-06 requires you to control who can physically reach systems and sensitive assets, watch for abnormal or unauthorized entry, and consistently enforce rules based on the asset’s risk. Operationalize it by classifying spaces/assets, implementing tiered access controls, monitoring and reviewing logs, and keeping tight joiner/mover/leaver and visitor processes with defensible evidence. 1

Key takeaways:

  • Treat physical access as a risk-based control: higher criticality assets need stronger barriers, tighter approvals, and more monitoring. 1
  • “Managed, monitored, and enforced” means documented rules, working mechanisms, and recurring reviews with corrective action. 1
  • Audit success depends on evidence: access lists, approvals, logs, reviews, and proof of revocation after role changes or termination. 2

The PR.AA-06 requirement (physical access to assets is managed, monitored, and enforced commensurate with risk) is easy to “agree with” and still fail in practice. Most programs have a badge system, a reception desk, or a colo contract, but cannot show risk-based scoping, consistent approvals, log review, or timely removal of access across employees, contractors, and other third parties.

This requirement sits at the boundary between security, facilities, IT operations, and third-party management. That boundary is where gaps hide: shared keys with no inventory, “temporary” badges that never expire, camera footage that exists but is never reviewed, and data center access lists that don’t match HR rosters. PR.AA-06 expects you to close those gaps with clear ownership, a tiered model that matches protections to asset criticality, and proof that controls operate over time. 1

Use this page as an execution guide. It translates PR.AA-06 into concrete steps, what to retain as evidence, the audit questions you will get, and a plan to get control of physical access quickly without boiling the ocean. 1

Regulatory text

NIST CSF 2.0 PR.AA-06: “Physical access to assets is managed, monitored, and enforced commensurate with risk.” 1

Operator interpretation (what you must do)

You must be able to show, for each class of asset and facility area, that:

  1. Managed: Access rules exist and are applied (who gets access, how it’s approved, how it’s revoked, what authentication is required). 1
  2. Monitored: You can detect and investigate physical access events and anomalies (badge events, visitor entries, forced doors, data center entry, after-hours access). 1
  3. Enforced: Controls are not optional; exceptions are time-bound and tracked, and violations trigger action. 1
  4. Commensurate with risk: Stronger controls for higher-risk assets (production servers, network core, backup media, regulated records) than for low-risk areas (general office space). 1

Plain-English requirement

Only the right people should be able to physically touch or enter areas that contain important systems or sensitive information, you should be able to tell when physical access goes wrong, and you must follow through when rules are violated. The closer someone gets to critical assets, the tighter your controls and your monitoring need to be. 1

Who it applies to

Entity scope: Any organization operating a cybersecurity program that has physical assets supporting business services, including organizations that rely on third parties for facilities or hosting. 1

Operational scope (common in audits):

  • Corporate offices, leased spaces, and shared workspaces where company devices or records are present.
  • Data centers (owned or colocation), network rooms, server closets, wiring closets, and backup storage.
  • End-user computing storage areas (laptop storage, staging rooms) and secure printing/mail areas.
  • Manufacturing/OT sites, labs, and test environments, if they support the organization’s services.
  • Third-party sites where your assets live (colo cage, managed service provider facilities) or where third-party staff access your facilities as part of service delivery.

What you actually need to do (step-by-step)

1) Define what “assets” and “physical access” mean for your environment

Create a scoped inventory of physical assets and spaces that matter to cybersecurity outcomes:

  • Spaces: offices, server rooms, cages, network closets, records rooms.
  • Assets in spaces: servers, network devices, backup media, paper records, build pipelines, staging hardware.

Tie each to an owner (Facilities, IT, Security, Site Lead) and a system/service. This is the foundation for “commensurate with risk.” 1

2) Classify areas into access tiers (risk-based zoning)

Use a simple zoning model that operators can follow. Example:

Zone          | Examples                        | Typical risk | Required control posture
Public        | Lobby, shared conference center | Low          | Escort policy, visitor log
General       | Standard office areas           | Medium       | Badge required, anti-tailgating expectations
Restricted    | Network closets, IT storage     | High         | Role-based access, manager + asset owner approval
High Security | Data center cage, backup vault  | Very high    | Named access list, strong authentication, enhanced monitoring, strict visitor controls

Document the zones and map each facility/room to a zone. Review when you add new sites or materially change floorplans or hosting. 1

3) Implement “managed” access: approvals, provisioning, and revocation

Build a joiner/mover/leaver workflow that covers employees and third parties:

  • Provisioning: Access requests must name the zone/door, business justification, time window (if temporary), and approvers (manager plus zone/asset owner for restricted areas).
  • Authentication: Use badges, keys, PINs, or biometrics appropriate to the zone. Avoid shared credentials for high-risk zones unless you have compensating controls and documented exceptions.
  • Revocation: Terminations and role changes must trigger removal of access rights, return of keys/badges, and updates to door groups/cage lists. 1

For third parties (cleaning crews, maintenance, IT contractors), treat physical access as third-party access: verify identity, restrict scope, set expiration, and require escort where risk warrants. 1

4) Implement “monitored” access: logs, alerts, and investigations

Monitoring can be simple, but it must be intentional:

  • Collect logs: Badge system access events, visitor management check-ins, security incident reports, and (where deployed) door alarms and camera coverage metadata.
  • Define what you review: High security zones should have routine review of access logs and investigation of anomalies (after-hours entry, repeated denied attempts, entry without a paired exit event, access by separated staff).
  • Escalate: Route anomalies to Security or Facilities with defined SLAs and case tracking.

If a third party controls monitoring (colo provider), your contract and oversight must give you access to reports and incident notifications relevant to your assets. 1

5) Implement “enforced” access: rules, training, and consequence management

Enforcement is where many programs fail because it feels “HR-ish.” Keep it operational:

  • Publish a physical security standard with zone rules (no propping doors, no badge sharing, escort requirements).
  • Train staff and recurring onsite third parties on expectations.
  • Track exceptions (e.g., a short-term construction project) with an owner, expiration date, and compensating controls.
  • Record corrective actions for violations (badge misuse, tailgating, unescorted visitors). 1

6) Prove “commensurate with risk”: link zones to asset criticality

Auditors will test whether protections match impact. Prepare a mapping:

  • Critical services/systems → physical location(s) → zone classification → controls and monitoring.
  • Explain why lower-tier controls are sufficient for low-risk areas.
  • Show that high-risk assets have stronger controls and more frequent oversight. 1

7) Assign ownership and set a recurring evidence cadence

Name a control owner and define what evidence is produced and reviewed. A lightweight but defensible cadence matters more than a perfect policy.

If you use Daydream to run your control program, map PR.AA-06 to a single control record with owners (Facilities + Security), test steps, and recurring evidence tasks so access reviews and log checks do not depend on memory. 2

Required evidence and artifacts to retain

Keep evidence that shows design and operation over time:

Governance and design

  • Physical security/access control policy or standard with zone definitions.
  • Site/space-to-zone mapping and an asset-to-location mapping for critical assets.
  • Role definitions for who can approve access by zone.

Operational execution

  • Access request tickets/approvals for restricted/high security zones.
  • Current access lists for sensitive areas (badge groups, named lists for cages/rooms).
  • Joiner/mover/leaver records showing provisioning and revocation.
  • Visitor logs (including escort assignment where required).
  • Incident records for physical security events and corrective actions.
  • Periodic access review sign-offs and results (including removals).
  • Monitoring artifacts: sample badge logs, anomaly review notes, escalations, and outcomes.

Third-party oversight

  • Contracts/SOW clauses or provider attestations for facility controls (for colo/MSP).
  • Reports or access event summaries from third parties tied to your assets. 1

Common exam/audit questions and hangups

Expect these, and pre-build the packet:

  1. Show your list of restricted areas and who has access. Hangup: access lists are exported ad hoc and not reviewed by an owner.
  2. How do you remove access when someone leaves or changes roles? Hangup: HR termination triggers IT disablement but not facilities revocation.
  3. Do third parties have unescorted access? Why? Hangup: cleaning/maintenance has broad keys without documented risk acceptance.
  4. Do you review physical access logs? What do you look for? Hangup: “We have cameras” without a review process or retained evidence.
  5. How do you enforce tailgating and badge sharing rules? Hangup: policy exists but there are no incidents, exceptions, or disciplinary pathways recorded. 1

Frequent implementation mistakes (and how to avoid them)

Mistake                                               | Why it fails PR.AA-06                                   | Fix
Treating badge issuance as the whole control          | “Managed” without “monitored/enforced” is incomplete    | Add log review + incident workflow tied to zones
Shared keys or shared door codes for high-risk rooms  | No accountability, weak enforcement                     | Move to named access, rotate codes, document exceptions
No time-bound access for contractors                  | Access creep becomes permanent                          | Require expiration dates and periodic recertification
Colo access handled “by the provider”                 | You still own the risk for your assets                  | Contract for reports, access lists, and incident notification
Evidence scattered across Facilities and Security     | Audits become a scavenger hunt                          | Centralize in a control record (policy, lists, reviews, logs)

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so you should treat PR.AA-06 as a framework expectation rather than a standalone enforcement citation. The risk is still concrete: weak physical access control enables theft of devices/media, tampering with network gear, unauthorized console access, and bypass of logical controls. PR.AA-06 reduces that exposure by making physical access predictable, reviewable, and traceable. 1

Practical execution plan (30/60/90)

Use this as an operator’s sprint plan. Adjust scope to your footprint and risk.

First 30 days (stabilize and scope)

  • Assign owners (Facilities + Security + IT) and define the in-scope sites/rooms.
  • Build the zone model and map each site/room to a zone.
  • Export current access lists for restricted/high security zones; identify obvious outliers (terminated staff, broad contractor access).
  • Stand up a basic evidence repository and control record for PR.AA-06, including planned recurring evidence. 2

By 60 days (operate the control)

  • Implement approval workflow for restricted/high security zones (ticketing + required approvers).
  • Implement termination/role-change revocation steps that include facilities actions (badge disablement, key return).
  • Start periodic access reviews for high-risk zones; track removals and remediation.
  • Define monitoring: what logs are reviewed, by whom, and what triggers an investigation.

By 90 days (make it audit-ready)

  • Run an end-to-end test: request access, approve, provision, review logs, revoke access, retain evidence.
  • Formalize exception management for physical access (time-bound, owner, compensating controls).
  • For third-party facilities, confirm you can obtain access reports and incident notifications tied to your assets.
  • Package your audit artifacts: policy/standard, zone map, access lists, reviews, sample tickets, monitoring records, and corrective actions. 1

Frequently Asked Questions

Do we need cameras everywhere to meet PR.AA-06?

NIST CSF PR.AA-06 does not mandate specific technology in the provided excerpt. You need monitoring appropriate to risk, which can include badge logs, visitor logs, door alarms, and targeted camera coverage for high-risk zones. 1

How do we handle third-party technicians who need after-hours access?

Require time-bound access tied to a ticket, restrict them to specific zones, and require escort for higher-risk areas unless you document an exception with compensating controls. Retain entry records and the approval. 1

What counts as “assets” for physical access control?

Include spaces and items where physical presence can affect confidentiality, integrity, or availability: servers, network devices, backup media, and areas where sensitive records or privileged consoles exist. Map assets to locations so you can justify risk-based controls. 1

Our HR offboarding is strong; why do auditors still flag physical access?

Offboarding often disables logical accounts but misses badges, keys, and shared door codes. PR.AA-06 expects physical access to be revoked and evidenced, not assumed. 1

We are fully cloud-hosted. Does PR.AA-06 still apply?

Yes, because you still have physical assets (endpoints, networking gear, offices) and you may rely on third parties for facilities. For cloud provider data centers, focus on third-party oversight evidence and your own facility controls. 1

What is the minimum evidence set to keep this from becoming a “trust me” control?

Keep the zone map, current access lists for restricted/high security zones, a sample of approved access requests, periodic access review sign-offs, and proof of revocation for leavers/movers. Add monitoring review notes for higher-risk zones. 2

Footnotes

  1. NIST CSWP 29

  2. NIST CSF 1.1 to 2.0 Core Transition Changes
